On Your IBM i Radar Now: GDPR
October 19, 2016 Alex Woodie
IBM i shops that have European customers, take note: In about 18 months, you will need to comply with the General Data Protection Regulation (GDPR), or face hefty fines. That’s not much time to come to grips with a data privacy law that’s been called “PCI on steroids” and an “IRS audit of your data,” but that’s the reality nonetheless.
If you’re wondering what the heck this GDPR thing is, you’re not alone. A survey conducted by Dell last month indicates that fewer than 20 percent of company representatives were even aware of GDPR. But as the old saying goes, ignorance of the law is no defense, so you’d do well to study up.
The law was passed by the European Commission earlier this year to give European citizens more control over how companies use their data. There are some pretty strict provisions in the new law requiring companies to take steps to protect their data from loss, not to mention the controversial “right to be forgotten” provision that has some U.S. companies on edge.
GDPR only impacts companies that have European customers–or more specifically, customers from countries that are in the European Union (the United Kingdom is working on its own version of the law post-Brexit). It doesn’t matter whether the company holding the data of a European citizen is big or small, publicly or privately held, based in Timbuktu or New York City. Experts say there will be an enforcement mechanism in place in the United States by May 2018 to make sure that if you’re handling data that’s covered by the law, then you will be subject to it.
GDPR has several provisions for how data should be handled. For starters, sensitive data must be protected, such as through encryption or masking. In this respect, GDPR is similar to PCI-DSS, the industry-based initiative to regulate the handling of credit card information. It’s also similar in some respects to the data privacy components of HIPAA, the healthcare law that protects health-related data for Americans.
However, the definition of sensitive data is quite broad under GDPR. It could be your name or address, or even a Facebook or Twitter handle. This wide interpretation is meant to be a roadblock to slow down rampant use of people’s names in marketing initiatives. In particular, it’s designed to quell the unregulated buying and selling of blocks of names and numbers that unscrupulous vendors use to generate demand, not to mention the trade in truly sensitive data by black hats and identity thieves.
Right To Be Forgotten
Under the new law, European citizens have the right to request that a company they have formerly done business with remove all of their data from its systems. This is the so-called “right to be forgotten” law that surprised many large Internet firms like Google and Facebook when the European Court of Justice passed it two years ago.
GDPR gives real teeth to this right by guaranteeing European citizens the ability to demand reports proving that their sensitive data has been wiped from a company’s systems. For big companies that manage lots of databases, this could prove to be a difficult provision, says John Wethington, a data privacy expert with www.mysensitivedata.com.
“In surveys we’ve done, 92 percent of companies don’t even know where all their sensitive data is in their environment right now,” Wethington tells IT Jungle. “They’re scrambling just to get a clear understanding of where their data is. . . . They literally have no sense of where it is.”
In the IBM i world, it’s not much better. Robin Tatam, director of security technologies for HelpSystems and its PowerTech subsidiary, says that in his experience, most IBM i customers do not have a firm handle on where their sensitive data lies.
“I rarely hear of any form of database ‘map’ that defines what types and levels of sensitive data exists and where it’s stored,” Tatam says. “Database normalization should limit data duplication, but as a programmer I have seen fields containing information such as social security numbers and addresses scattered around like autumn leaves.”
Data governance is a big issue for large companies juggling data silos. For the small company that keeps all its sensitive data on the IBM i server, it won’t be such a big deal. But for larger companies that have some data on the IBM i server and some of their data elsewhere, such as a marketing database or a data warehouse (which is arguably a more common pattern in this day and age), reconciling a single person’s records sitting across multiple systems will be a difficult proposition.
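The database “map” Tatam describes has to start somewhere, and on IBM i the Db2 for i catalog is the natural place. The SQL below is an added example for this article, not code from IT Jungle, HelpSystems or PowerTech: it builds a view of candidate sensitive columns from QSYS2.SYSCOLUMNS by matching column names, headings and text against a handful of patterns, then uses that view to show where each class of data lives and which identifier fields recur across libraries. The library name MYLIB, the data classes and the search patterns are assumptions to be replaced with your own conventions.

```sql
-- Added example, not from the article or from HelpSystems/PowerTech:
-- a first-pass "database map" of candidate sensitive columns on IBM i,
-- built from the Db2 for i catalog view QSYS2.SYSCOLUMNS.
-- MYLIB, the data classes and the search patterns are assumptions;
-- adjust them to your own naming conventions before trusting the results.
CREATE OR REPLACE VIEW MYLIB.SENSITIVE_COLUMN_MAP AS
SELECT TABLE_SCHEMA, TABLE_NAME, COLUMN_NAME, DATA_TYPE, LENGTH, COLUMN_TEXT, DATA_CLASS
FROM (
  SELECT TABLE_SCHEMA, TABLE_NAME, COLUMN_NAME, DATA_TYPE, LENGTH, COLUMN_TEXT,
         -- Classify on the combined name/heading/text; no ELSE means "not sensitive" -> NULL
         CASE
           WHEN HINT LIKE '%SSN%' OR HINT LIKE '%SOCIAL SEC%'
             OR HINT LIKE '%TAXID%' OR HINT LIKE '%PASSPORT%' THEN 'NATIONAL_ID'
           WHEN HINT LIKE '%BIRTH%'                            THEN 'DATE_OF_BIRTH'
           WHEN HINT LIKE '%CREDIT%' OR HINT LIKE '%CARDNO%'   THEN 'PAYMENT_CARD'
           WHEN HINT LIKE '%IBAN%'                             THEN 'BANK_ACCOUNT'
           WHEN HINT LIKE '%EMAIL%' OR HINT LIKE '%PHONE%'
             OR HINT LIKE '%ADDR%'                             THEN 'CONTACT'
         END AS DATA_CLASS
  FROM (
    SELECT c.TABLE_SCHEMA, c.TABLE_NAME, c.COLUMN_NAME, c.DATA_TYPE, c.LENGTH, c.COLUMN_TEXT,
           -- One upper-cased search string per column: name, DDS heading and column text
           UPPER(c.COLUMN_NAME CONCAT ' '
                 CONCAT COALESCE(c.COLUMN_HEADING, '') CONCAT ' '
                 CONCAT COALESCE(c.COLUMN_TEXT, '')) AS HINT
    FROM QSYS2.SYSCOLUMNS c
    WHERE c.TABLE_SCHEMA NOT LIKE 'Q%'                      -- skip IBM-supplied libraries
      AND c.TABLE_SCHEMA NOT IN ('SYSIBM', 'SYSTOOLS')
  ) AS WITH_HINT
) AS CLASSIFIED
WHERE DATA_CLASS IS NOT NULL;

-- 1. The map itself: where each class of data lives, file by file.
SELECT DATA_CLASS, TABLE_SCHEMA, TABLE_NAME, COLUMN_NAME, DATA_TYPE, LENGTH, COLUMN_TEXT
FROM MYLIB.SENSITIVE_COLUMN_MAP
ORDER BY DATA_CLASS, TABLE_SCHEMA, TABLE_NAME, COLUMN_NAME;

-- 2. Duplication: the same sensitive field recurring in several libraries is
--    exactly what has to be found and reconciled for one erasure request.
SELECT COLUMN_NAME, DATA_CLASS,
       COUNT(DISTINCT TABLE_SCHEMA) AS LIBRARIES,
       COUNT(*)                     AS FILES
FROM MYLIB.SENSITIVE_COLUMN_MAP
GROUP BY COLUMN_NAME, DATA_CLASS
HAVING COUNT(DISTINCT TABLE_SCHEMA) > 1
ORDER BY LIBRARIES DESC, FILES DESC;
```

Name matching only finds columns that were labelled helpfully; the social security numbers Tatam has seen “scattered around like autumn leaves” may sit in fields called FLD017, so treat this output as the list of places to confirm first, not as the finished map, and extend it with a sample of actual values (masked in any report) before signing off on where data does and does not live.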
But wait! We haven’t even gotten to the best part of GDPR–the penalties.
Under GDPR, the consequences of mishandling a European citizen’s data are severe. Failure to comply with any of the provisions can result in a fine of €20 million or 4 percent of the company’s global annual revenue, whichever is greater. The fines apparently will reside in a fund to fuel more collections (as opposed to the EU’s general fund), creating a virtuous cycle of compliance, and an end to data breaches (or so one hopes).
“There’s money behind this,” Wethington says. “Those guys are motivated to go find these things. Where we’ve seen the US lagging behind, we’ve seen the European Commission take a much more aggressive stance, fining people and even in some cases compelling organizations to close their doors.”
Chances seem good that the US will pass its own version of the GDPR, thereby giving American citizens digital protections similar to those Europeans will soon have. HelpSystems’ Tatam says the GDPR is an example of how multi-national cooperation can result in a focus on data security.
“Time will tell whether the upcoming new US administration will be able to succeed where others have been unable,” he tells IT Jungle. “This is a critical initiative as more examples surface of highly funded breaches.”
As it stands today, however, the overall lack of security controls in place in IBM i systems bodes poorly for compliance with GDPR. As Tatam explains, the amazing forward compatibility of the IBM i platform means you can take a tape backup from an AS/400 in 1988, and restore it on a modern Power 8 server, and everything will work fine. That may seem great, but it’s a mixed blessing.
“When we look from a security and compliance standpoint, we discover that most servers are still operating with the same restored system values, user profiles, and object authorities” from 1988, he says. “Bear in mind that these configurations may predate the personal computer and network connectivity. These security elements are simply migrated untouched to the next generation of the server. Unfortunately, organizations tend not to perform a post-upgrade review of the security environment, instead choosing to move on to the next project on the list. So yes, they are equipped. But they are far from prepared!”
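The post-upgrade review Tatam says most shops skip can be scripted. The SQL below is an added example for this article, not code from IT Jungle, HelpSystems or PowerTech: it compares restored system values against a written baseline, confirms that auditing is switched on, lists enabled profiles that carry powerful special authorities or have gone unused, and lists production files that *PUBLIC can still reach, using the Db2 for i services QSYS2.SYSTEM_VALUE_INFO, QSYS2.USER_INFO and QSYS2.OBJECT_PRIVILEGES (assumed available on the release in use). The baseline values, the 90-day window and the library name PRODLIB are assumptions standing in for your own documented standard.

```sql
-- Added example, not from the article or from HelpSystems/PowerTech:
-- a post-upgrade review of the security settings a restore carries forward,
-- using the Db2 for i services QSYS2.SYSTEM_VALUE_INFO, QSYS2.USER_INFO
-- and QSYS2.OBJECT_PRIVILEGES. The baseline values and the library name
-- PRODLIB are assumptions standing in for your own documented standard.

-- 1. System values: compare what was restored against the baseline (exact match).
--    Every value listed here is a character-typed system value, so
--    CURRENT_CHARACTER_VALUE is the column to compare; numeric ones such as
--    QPWDLVL populate CURRENT_NUMERIC_VALUE instead and need their own check.
WITH baseline (SYSTEM_VALUE_NAME, EXPECTED_VALUE) AS (
  VALUES ('QSECURITY',  '40'),        -- security level 40
         ('QLMTSECOFR', '1'),         -- security officer limited to named devices
         ('QCRTAUT',    '*EXCLUDE'),  -- new objects private to their owner by default
         ('QMAXSIGN',   '3'),         -- act after three failed sign-on attempts
         ('QINACTITV',  '30'),        -- time out idle jobs after 30 minutes
         ('QPWDEXPITV', '90')         -- passwords expire after 90 days
)
SELECT b.SYSTEM_VALUE_NAME,
       b.EXPECTED_VALUE,
       TRIM(sv.CURRENT_CHARACTER_VALUE) AS CURRENT_VALUE,
       CASE WHEN TRIM(sv.CURRENT_CHARACTER_VALUE) = b.EXPECTED_VALUE
            THEN 'OK' ELSE 'DEVIATES' END AS REVIEW_STATUS
FROM baseline b
LEFT JOIN QSYS2.SYSTEM_VALUE_INFO sv
       ON sv.SYSTEM_VALUE_NAME = b.SYSTEM_VALUE_NAME
ORDER BY REVIEW_STATUS DESC, b.SYSTEM_VALUE_NAME;

-- 2. Auditing: QAUDCTL is a list of keywords, so test for the entry
--    rather than comparing the whole string.
SELECT SYSTEM_VALUE_NAME, CURRENT_CHARACTER_VALUE,
       CASE WHEN LOCATE('*AUDLVL', CURRENT_CHARACTER_VALUE) > 0
            THEN 'OK' ELSE 'AUDITING OFF' END AS REVIEW_STATUS
FROM QSYS2.SYSTEM_VALUE_INFO
WHERE SYSTEM_VALUE_NAME = 'QAUDCTL';

-- 3. User profiles carried over from the old system: enabled profiles that
--    hold *ALLOBJ or *SECADM, or that have not signed on in the last 90 days.
SELECT AUTHORIZATION_NAME, STATUS, USER_CLASS_NAME, SPECIAL_AUTHORITIES,
       PREVIOUS_SIGNON, PASSWORD_CHANGE_DATE
FROM QSYS2.USER_INFO
WHERE STATUS = '*ENABLED'
  AND (   SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%'
       OR SPECIAL_AUTHORITIES LIKE '%*SECADM%'
       OR PREVIOUS_SIGNON IS NULL
       OR PREVIOUS_SIGNON < CURRENT TIMESTAMP - 90 DAYS)
ORDER BY SPECIAL_AUTHORITIES DESC, PREVIOUS_SIGNON;

-- 4. Object authorities: production files that *PUBLIC can still read or
--    change, the typical footprint of an authority scheme restored untouched.
SELECT OBJECT_SCHEMA, OBJECT_NAME, OBJECT_TYPE, OBJECT_AUTHORITY
FROM QSYS2.OBJECT_PRIVILEGES
WHERE OBJECT_SCHEMA = 'PRODLIB'           -- placeholder library name
  AND OBJECT_TYPE = '*FILE'
  AND AUTHORIZATION_NAME = '*PUBLIC'
  AND OBJECT_AUTHORITY <> '*EXCLUDE'
ORDER BY OBJECT_AUTHORITY, OBJECT_NAME;
```

Run the four queries as one job right after the restore and keep the output with the upgrade record; anything marked DEVIATES, AUDITING OFF, or returned by queries 3 and 4 is a decision to document, not a setting to change blindly, since an old system value or a *PUBLIC *CHANGE authority may be load-bearing for an application that nobody has touched since the AS/400 days.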
Unfortunately, the ongoing push to put guardrails on the handling of data, and to incentivize good security and privacy practices, will inevitably lead to more regulation of data, not less.
“It’s only going to get stronger, especially as the economy grows in such a way that we’re collecting more and more information every single day,” Wethington says. “We have a responsibility to protect it. I think security has become a back burner pain in everybody’s side. It’s been treated as a hindrance to innovation, whereas it should be at the forefront. It should be the first thing we think about.”